Cybersecurity researchers from the Chinese information security firm Netlab Qihoo 360 reported that at the beginning of this year the authors of the Mozi IoT botnet were detained by Chinese law enforcement authorities, nearly two years after the malware appeared on the threat landscape in late 2019.
“Mozi uses a P2P [peer-to-peer] network structure, and one of the 'advantages' of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices, that is why we can still see Mozi spreading," said Netlab researchers.
The development takes place within two weeks after Microsoft Security Threat Intelligence Center disclosed the malware's new capabilities allows it to block the web traffic on compromised systems via techniques such as DNS spoofing and HTTP session hijacking aimed at redirecting users to malicious domains.
At its peak, the malware infected up to 160,000 systems a day and in total managed to compromise more than 1,500,000 different devices, more than half of which (830,000) were located in China, according to a report from Netlab Qihoo 360.
Mozi, which emerged from the source code of Mirai variants and the Gafgyt malware, has accumulated over 15,800 unique command and control nodes as of April 2020, up from 323 nodes in December 2019, according to a report from Lumen's Black Lotus Labs. By the time the malware was discovered by 360 Netlab researchers, it was actively targeting Netgear, D-Link, and Huawei routers by probing for weak Telnet passwords to compromise them.
Exploiting the use of weak and default remote access passwords as well as through unpatched vulnerabilities, the botnet propagates by infecting routers and digital video recorders to co-opt the devices into an IoT botnet, which could be abused for launching distributed denial-of-service (DDoS) attacks, data exfiltration, and payload execution.
According to Netlab, the creators of Mozi also packed in additional upgrades, which includes a mining trojan that spreads in a worm-like fashion through weak FTP and SSH passwords, expanding on the botnet's features by following a plug-in like approach to designing custom tag commands for different functional nodes. "This convenience is one of the reasons for the rapid expansion of the Mozi botnet," the researchers said.
"The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended. Since the parts of the network that are already spread across the Internet have the ability to continue to be infected, new devices are infected every day,” the researchers warned.
The malware also used the DHT protocol to design a peer-to-peer (P2P) system between all the compromised devices, allowing bots to send updates and operational instructions to each other directly, which also allowed Mozi to continue to perform even without a central command and control (C&C) server.
